- Yes
- You add a path for reauthsecure in the host name section in the <RequestMap> subelement of the <RequestMapper> element
- It will be a popup window that looks like your Windchill SSO
- It is all part of the popup window, so it should be relatively seamless. The way the process works is that it uses SSOReauthentication.jsp, gets the user ID from the Windchill session, and in the new window a fresh session is created. Windchill then checks the username and compares it to the logged-in user. If they don't match, then it will fail.
shibboleth2.xml additions
<RequestMapper type="Native">
  <RequestMap>
    <Host name="<YOUR HOST>" scheme="https" port="443">
      <Path name="secure" .../>
      <!-- added below to allow for reauth on esignatures -->
      <Path name="reauthsecure" authType="shibboleth" requireSession="true" ... applicationId="reauthsecure" />
    </Host>
  </RequestMap>
</RequestMapper>
The settings in ApplicationOverride are similar to the settings in the application default.
  <ApplicationOverride id="reauthsecure" entityID="<WC ENTITY ID>"
                       REMOTE_USER="<YOUR ATTRIBUTES>"
                       cipherSuites="<YOUR CIPHER SUITES>" >
    <Sessions>
      <SSO>
      </SSO>
    </Sessions>
    <MetadataProvider> </MetadataProvider>
  </ApplicationOverride>
</ApplicationDefaults>
00-1mod_shib.conf additions
#
<Location /reauthsecure/Shibboleth.sso>
  AuthType None
  require shib-session false
</Location>
#
Alias /Windchill/reauthsecure/ "/reauthsecure/Shibboleth.sso/Login"
<Location /reauthsecure>
  AuthType shibboleth
  ShibRequestSetting applicationId reauthsecure
  require shib-session
</Location>
30-app-windchill-1auth.conf additions
<LocationMatch ^/+Windchill/reauthsecure?>
  AuthType shibboleth
  ShibRequestSetting applicationId reauthsecure
  # mod_jk doesn't pass environment, so useHeaders is required
  ShibUseHeaders on
  require shib-session
</LocationMatch>
wt properties / xconf
<Property name="wt.org.electronicIdentification.class" overridable="true"
          targetFile="codebase/wt.properties"
          value="wt.workflow.engine.SSOConfiguredSignatureEngine"/>
<Property name="wt.servlet.sessionCookiePattern" overridable="true"
          targetFile="codebase/wt.properties"
          value="_shibsession_.*"/>
<Property name="wt.servlet.sessionCookie" overridable="true"
          targetFile="codebase/wt.properties"
          value="JSESSIONID"/>
Additionally, if you use an attribute other than uid for authentication for WC, you need to change it like this (change uid to whatever attribute you need):
<Install location>\Windchill_12.0\Windchill\codebase\reauthsecure\SSOReauthentication.jsp
<%
HttpSession sessionHttp = request.getSession();
request.getSession().setAttribute("newIDPAuthorizedUser", request.getHeader("uid"));
%>
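
The following is an added example, not part of the original post and not PTC or Shibboleth code. It checks that every applicationId referenced in the request map and in the Apache files has a matching ApplicationOverride, and flags comments placed on the same line as a directive. The sample config is constructed, the host name is a placeholder, and `check` and `local` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the post's snippets. The Apache sample has two
# deliberate defects: a misspelled applicationId and a same-line comment.
SHIB_XML = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
 <RequestMapper type="Native"><RequestMap>
  <Host name="plm.example.org" scheme="https" port="443">
   <Path name="reauthsecure" authType="shibboleth" requireSession="true"
         applicationId="reauthsecure"/>
  </Host>
 </RequestMap></RequestMapper>
 <ApplicationDefaults entityID="https://plm.example.org/sp">
  <ApplicationOverride id="reauthsecure" entityID="https://plm.example.org/sp"/>
 </ApplicationDefaults>
</SPConfig>"""

APACHE_CONF = """<Location /reauthsecure>
AuthType shibboleth
ShibRequestSetting applicationId reauth-secure
ShibUseHeaders on # needed behind mod_jk
require shib-session
</Location>"""


def local(tag):  # strip the XML namespace, if any
    return tag.rsplit("}", 1)[-1]


def check(shib_xml, apache_conf):
    """Return findings; an empty list means both files agree on applicationId."""
    root = ET.fromstring(shib_xml)
    overrides = {e.get("id") for e in root.iter() if local(e.tag) == "ApplicationOverride"}
    findings = []
    for e in root.iter():
        app = e.get("applicationId")
        if local(e.tag) == "Path" and app and app not in overrides:
            findings.append(f"Path {e.get('name')}: no ApplicationOverride id={app}")
    for n, line in enumerate(apache_conf.splitlines(), 1):
        s = line.strip()
        m = re.match(r"ShibRequestSetting\s+applicationId\s+(\S+)", s, re.I)
        if m and m.group(1) not in overrides:
            findings.append(f"line {n}: no ApplicationOverride id={m.group(1)}")
        if s and s[0] not in "#<" and re.search(r"\s#", s):
            findings.append(f"line {n}: comment shares a line with a directive")
    return findings


if __name__ == "__main__":
    print("\n".join(check(SHIB_XML, APACHE_CONF)) or "consistent")
```

A mismatch between these names means the reauthentication path is not handled by the override intended for it, so it is worth running this after each edit to either file.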